DoD Walks the Talk on CAC Replacement

The Department of Defense (DoD) would like to get rid of the Common Access Card (CAC), but the problem is finding a suitable replacement. It turns out that the replacement won’t be one thing, but multiple biometric identifiers that combine to establish a person’s identity.

For about the last decade, CACs have identified military personnel, civilian employees, and eligible contractors for physical and logical (building and computer) access, carrying personal information along with identifiers such as two digital fingerprints, a digital photo, and a Personal Identity Verification (PIV) certificate. While effective, they’re not as agile or secure as the department would like. Although it is not planning to do away entirely with an ID card–and the Federal government has looked to upgrade CACs and the civilian PIV cards with biometric features–DoD is looking for a multi-factor system to replace CAC for many uses.

In June 2016, then-DoD CIO Terry Halvorsen announced a two-year plan for abandoning CAC for access to information systems, saying he wanted 10 or more biometric and behavioral systems that could be used in combination–employing up to five of them at a time–for authentication. Since then, DoD has been making some headway. The Defense Innovation Unit Experimental (DIUx) last year began working with companies including Plurilock, Lastwall, and Yubico on prototyping behavioral biometrics platforms. The Defense Advanced Research Projects Agency’s Active Authentication program incorporates biometrics.

And this month, the Defense Information Systems Agency (DISA) awarded a contract to Qualcomm’s Cyber Security Solutions division to establish a pilot for using a hardware-based “actionless authentication” system for mobile users logging into DoD IT systems. The system, running on Qualcomm’s Snapdragon Mobile Platform, will operate continuously, and combine data from multiple factors using machine learning and analytics, the company said.

The push toward biometrics is in line with the Federal government’s 2017 IT Modernization plan, outlined in a report released in December by the American Technology Council. According to the report, which covers other areas of modernization, the Office of Management and Budget will release new identity management guidance by March 17.

DISA is following Halvorsen’s lead. Halvorsen has since moved on and Acting CIO Essye Miller replaced him. DISA plans to include not just traditional biometrics–like fingerprints, iris scans, and voice recognition–but others such as a person’s gait, behavioral traits like how a person handles a device, as well as patterns and cadences of speech. Combined, they will create an identity score that “will determine how much access you have to the network,” DISA’s director, Army Lt. Gen. Alan R. Lynn, said at an event last year.

The addition of some new biometrics technologies could be practical as well as secure. In some situations, soldiers or other personnel might not have time to stop for a fingerprint or iris scan, but a person’s walk, which Lynn said is as individual as a fingerprint, can be recognized at a distance, in low light and while that person is in motion. Alone, it’s likely not enough to completely confirm a person’s identity, but taken together with other factors, it can contribute to reliable authentication.

In addition to sensors and other modes of gathering information, a multi-factor biometric and behavioral system also will require the kind of advanced, fast analytics provided by recent advancements in artificial intelligence and machine learning systems.

Looks like CACs will RIP, but likely not ASAP.
